ISM3 Consortium
Standards that work

ISM3 is a framework for Information Security Management Systems. ISM3 looks at defining levels of security that are appropriate to the business mission and render a high return on investment.

ISM3 at The Open Group Conference, Seattle, February 2010


Sessions include:

  • “Changing the Conversation” — Enterprise Architecture Practitioners Conference Plenary
  • The Language of the Business Architect — Enterprise Architecture Practitioners Conference Plenary
  • Moving Information Security Management From Art to Science — Security Practitioners Conference Plenary

Security is featured at the Conference with specific emphasis on the role of security within EA as well as current security initiatives, including the Information Security Management Maturity Model (ISM3). Sessions include:

  • Overview of ISM3 Fundamentals. This session will discuss the basics of ISM3, strengths of the approach, and how it is compatible with and used in conjunction with other standards.
  • ISM3 Implementation Case Study – Cajamadrid’s Case Study, how to implement ISM3 bottom-up and top-down.


Capgemini  HP  HSBC   IBM  NEC  SAP Sun Microsystems


Latest ISM3 version Published April 2009

The ISM3 Consortium has published the print version of Information Security Management Maturity Model (ISM3) v2.3. The method has been updated with security management metrics proven in the field, and a new approach that defines security maturity objectively as a direct result of the metrics used to manage information security processes.

The main novelties are:

  • Capability is not subjective any more. It depends on what types of metrics are used to manage every process. ISM3 is the first method that defines capability this way.
  • There are now 7 metric types instead of 4: Activity, Unavailability, Scope, Load, Quality, Efficacy and Efficiency.
  • GP-1 Document Management is updated to GP-1 Knowledge Management.
  • TSP-6 Define environments and lifecycles is updated to TSP-6 Security Architecture.
  • OSP-23 Events Detection and Analysis is updated to OSP-23 Internal Events Detection and Analysis.
  • New process OSP-28 External Events Detection and Analysis takes care of reputation, copyright violations and phishing.
  • New process TSP-14 Information Operations includes intelligence and misinformation.
  • Maturity levels have been renamed as follows: Basic Level, SME Level, eCommerce Level, Enterprise Level and Military Level.
  • Enhanced metric management guidance (Measurement-Interpretation-Investigation-Representation-Diagnosis).

Get ISM3 v2.3 here.

ISM3 showcased at...

  • III Encuentro Nacional de la Industria de la Seguridad en España, 27-29 October 2009 - Antonio Gordo, CajaMadrid.
  • Miguel Ángel Navarrete, Cajamadrid's CISO, recommended ISM3 during Securmática 2009.
  • II Encuentro Nacional de la Industria de la Seguridad en España, 22-24 October 2008 - Antonio Gordo, CajaMadrid.
  • VIII Jornada Nacional de Seguridad Informática, 18-20 June 2008 - Juan Carlos Reyes, Seltika.
  • ISACA Winnipeg November Security Management Conference, 6th of November 2007 - Anthony B. Nelson, ESTEC.
  • OWASP Security Summit, 25th of October 2007 - Mahi Dontamsetti, M3-Security.
  • Comtec, 22nd of May 2007 (Session BI – 210) - Mahi Dontamsetti, M3-Security.

Latest Articles and Links

  • Usefulness of an Information Security Management Maturity Model March 2008 Article
  • Steven McElwee's article on ISM3 Maturity Levels, July, 2007
  • ENISA Quarterly July 2007 Metrics Article
  • Hindu Business Online Article
  • ISO27001.ES Podcast (in Spanish)
  • ISSA Journal's October 2006 Article
